author: Peter Marko <peter.marko@siemens.com> 2024-09-28 19:42:23 +0200
committer: Steve Sakoman <steve@sakoman.com> 2024-10-11 05:47:38 -0700
commit: e828e0364a01dbb309ba23967915c549ec75340d (patch)
tree: d404ef570bb1e477868b9036c80e699907478586 /meta/recipes-devtools/python/python3-trove-classifiers
parent: ff5c6bd86fa26645ff56a4e6822f2463a223b8f1 (diff)
download: poky-e828e0364a01dbb309ba23967915c549ec75340d.tar.gz
wpa-supplicant: Ignore CVE-2024-5290
NVD CVE report [1] links Ubuntu bug [2] which has a very good
description/discussion about this issue.
It applies only to distros patching wpa-supplicant to allow non-root
users (e.g. via netdev group) to load modules.
This is not the case of Yocto.

Quote:
So upstream isn't vulnerable as they only expose the dbus interface to
root. Downstreams like Ubuntu and Chromium added a patch that grants
access to the netdev group. The patch is the problem, not the upstream
code IMHO.

There is also a commit [3] associated with this CVE, however that only
provides build-time configuration to limit paths which can be accessed
but it acts only as a mitigation for distros which allow non-root users
to load crafted modules.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-5290
[2] https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613
[3] https://w1.fi/cgit/hostap/commit/?id=c84388ee4c66bcd310db57489eac4a75fc600747

(From OE-Core rev: 33548479f66164f486efdb6aeba2de7da2b5b0c9)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/python/python3-trove-classifiers')
0 files changed, 0 insertions, 0 deletions